Bug 633868 (CVE-2017-14695, CVE-2017-14696) - <app-admin/salt-{2016.3.8, 2016.11.8, 2017.7.2}: multiple vulnerabilities
Summary: <app-admin/salt-{2016.3.8, 2016.11.8, 2017.7.2}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-14695, CVE-2017-14696
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://docs.saltstack.com/en/latest/...
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on: CVE-2017-12791
Blocks:
Reported: 2017-10-09 17:53 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-25 00:53 UTC

See Also:
Package list:
Runtime testing required: ---


Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-09 17:53:19 UTC
CVE-2017-14695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14695):
  Directory traversal vulnerability in minion id validation in SaltStack.
  Allows remote minions with incorrect credentials to authenticate to a master
  via a crafted minion ID.

CVE-2017-14696 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14696):
  Remote Denial of Service with a specially crafted authentication request.
Comment 1 Larry the Git Cow gentoo-dev 2017-10-12 01:56:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b197479f09b76b5949257698be5d61963c4bf19

commit 1b197479f09b76b5949257698be5d61963c4bf19
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2017-10-12 01:54:37 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2017-10-12 01:56:13 +0000

    app-admin/salt: Version bump to 2016.3.8
    
    Bug: https://bugs.gentoo.org/633868
    Package-Manager: Portage-2.3.11, Repoman-2.3.3

 app-admin/salt/Manifest             |   1 +
 app-admin/salt/salt-2016.3.8.ebuild | 147 ++++++++++++++++++++++++++++++++++++
 2 files changed, 148 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3f64b31e3f0527ad788ec0dcab65c92178fbcea

commit d3f64b31e3f0527ad788ec0dcab65c92178fbcea
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2017-10-12 01:18:42 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2017-10-12 01:56:11 +0000

    app-admin/salt: Version bump to 2017.11.8
    
    Bug: https://bugs.gentoo.org/633868
    Package-Manager: Portage-2.3.11, Repoman-2.3.3

 app-admin/salt/Manifest              |   1 +
 app-admin/salt/salt-2016.11.8.ebuild | 146 +++++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d082e7a9c6c822343f67951dbbcb180714bc1699

commit d082e7a9c6c822343f67951dbbcb180714bc1699
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2017-10-12 01:11:16 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2017-10-12 01:56:10 +0000

    app-admin/salt: Version bump to 2017.7.2
    
    Bug: https://bugs.gentoo.org/633868
    
    Package-Manager: Portage-2.3.11, Repoman-2.3.3

 app-admin/salt/Manifest             |   1 +
 app-admin/salt/salt-2017.7.2.ebuild | 140 ++++++++++++++++++++++++++++++++++++
 2 files changed, 141 insertions(+)
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-10-28 14:05:19 UTC
@maintainer, please clean up. This also depends on the other comments in bug #627928
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-01-25 00:53:39 UTC
Tree is clean.